
GDPR Overview



1. What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU-wide law that sets strict rules on how personal data is collected, processed, and stored. It gives individuals rights such as access, correction, and erasure of their data, and requires organisations to have a lawful basis for processing personal information.

In Ireland, the Data Protection Act 2018 complements GDPR by addressing areas where national rules apply, such as enforcement powers, age of digital consent, and certain exemptions. Together, these laws form the backbone of data protection in Ireland.

2. Why does GDPR matter to Scout Groups?

GDPR applies to any organisation that processes personal data, regardless of whether it is a large company, a charity, or a small community group. The law exists to protect people’s privacy and ensure that their personal information is handled responsibly, securely, and only for appropriate purposes.

Following the GDPR helps Scout Groups protect the young people they work with, maintain trust within their community, and ensure that personal information is not lost, misused, or shared inappropriately. Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. All volunteers who handle or have access to personal information should understand the basic principles of data protection and follow their group’s procedures when collecting, storing, using, or sharing personal data.

You can find all Articles of the GDPR here. Data Protection Act 2018 Ireland is here.

3. What is Personal Data?

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (e.g. membership number), location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

To clarify, this means anything that directly or indirectly identifies a person. For example, ‘John Murphy of abc Scout Group’ directly identifies them, whereas “the group leader of abc Scout Group” would indirectly identify them.

Content about someone is also personal data, for example an email or message where an individual is mentioned or discussed. Additional personal data regularly collected across Scout Groups includes dates of birth, gender, contact information, medical details (noting this is sensitive data under GDPR) and photographs.

4. What is Special Category Data?

Some personal information is considered more sensitive under GDPR because it could put someone at risk if it’s misused. This type of information is called special category data, and it includes things like:

• Health and medical information (allergies, conditions, medication etc)

• Racial or ethnic background

• Religious or philosophical beliefs

• Trade union membership

• Sexual orientation

• Genetic or biometric data (e.g., fingerprints, facial recognition)

For Scouting Ireland, the most common special category data we handle is medical information needed to keep members safe during activities.

Special category data needs extra protection because misuse could harm someone’s safety, privacy, or rights. Under GDPR:

• We need a lawful basis to process it (like Contract, Consent or Legitimate Interests)

• We must also meet a special category condition under Article 9.

• We have to handle it carefully, securely, and only when necessary.

Example in Scouting

• Recording a child’s allergy or medical condition on a consent form → special category data

• Sharing that information with a first aider / paramedic in an emergency → allowed under Vital Interests

5. What is the Data Protection Commission (DPC)?

The DPC is the national independent authority responsible for upholding the fundamental rights of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.

Organisations report certain data breaches to the DPC, and individuals can contact them to raise concerns or lodge complaints about how an organisation handles their personal data. The DPC may open an investigation if they receive a complaint in relation to the handling of personal data or if a data breach is reported to them. It is imperative that open communication with the DPC occurs and that the Scout Group works with them to resolve any complaints. In the unlikely event your Scout Group is at the receiving end of a DPC investigation / complaint, please do not hesitate to reach out to the National office DPO (dataprotection@scouts.ie) for support and guidance.

6. What is a Data Controller?

A data controller is the person or organisation / entity that determines the purpose and means of processing personal data. In other words, they decide why and how personal data is collected, used, and stored. Under GDPR and the Data Protection Act 2018, the Data Controller is responsible for ensuring that all processing is lawful, transparent, and compliant with data protection principles.

As Scout Groups collect and process personal data that they hold at local level, they are independent data controllers of this data and must ensure the relevant measures are in place to meet GDPR requirements. Examples of data collected and processed at local Scout Group level would be photographs, sign in sheets, group communications / messaging, medication record forms etc. The data held in the Membership system falls under a joint data controllership with Scouting Ireland National office.

7. What does this mean for Scout Groups?

Being an independent data controller means the Scout Group is responsible for the personal data collected solely for the purposes of their Scout Group. They need to follow the principles of GDPR:

1.0 Lawfulness, fairness and transparency: Valid reason to collect & process data, use it fairly and be open about what you are doing (privacy notices)

2.0 Purpose Limitation: Only use the data for the specific purpose you collected it for.

3.0 Data Minimisation: Only collect the information you truly need

4.0 Data Accuracy: Personal data must be kept correct and up to date. Very important for emergency contact and medical information

5.0 Storage Limitation: Don’t keep personal data for longer than necessary.

6.0 Integrity & Confidentiality: Personal data must be kept safe, secure, and protected.

8. I have received a Subject Access Request, what do I do?

If you receive a request for an individual's personal data, please see the SAR guidelines in Issuu on how to handle this. Remember you have 1 month to provide the requested data. You can always reach out to SI’s Data Protection Officer (dataprotection@scouts.ie) for support and guidance.

9. I have been notified of a Personal data breach, what do I do?

All suspected personal data breaches which may result in risk to the individuals must be reported to the DPC within 72 hours of becoming aware of the breach.

A data breach policy and guidelines are available in Issuu. Please ensure you and your Scout Group volunteers are aware of data breaches and what to do in the event of a breach of personal data.

Please note every Scout Group has the full support and guidance of Scouting Ireland’s Data Protection Officer (dataprotection@scouts.ie) and should reach out to them for support when needed.
